Below are the basic instructions for using the QRadar Console. To access the console, make sure you are connected to the Secure ISS SOC Network via a VPN using Palo Alto's GlobalProtect VPN client.
For instructions on setting this up, please read the Setup Guide QRadar VPN Access.
The Dashboard View provides a useful bird's-eye summary of the network, but you can drill down further by selecting one of the other menu items, such as Offenses. That view is more granular, in this case showing individual Offenses. An Offense is simply a collection of events that QRadar has grouped together because they share some common element.
Note: An Offense does not necessarily mean the network is under attack. It is simply the term used by QRadar for a group of events with some common elements. Other SIEM systems may refer to an Offense as an Alert.
The section below explains how to drill down into the items. We will use the Offenses menu for this example, but the other menu items operate in a similar way.
Note: When conducting a Search or applying a Filter, QRadar is asked to perform a computational task on what can sometimes be a large amount of data. Be patient. It can take many seconds or longer to display the result.
A quick way to conduct a search is to use the Quick Search function.
Note: When conducting a Search, it is good practice to narrow your parameter selection to one that is Indexed, as in the example provided. Indexed fields are searched far more efficiently in QRadar, so results come back much more quickly.
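The two ideas in this guide, an Offense being nothing more than a group of events that share a common element, and an Indexed field being much cheaper to search than an unindexed one, are easier to see with a small worked model. The Python below is an added illustration written for this guide; it is not QRadar code and it does not call the QRadar API. The events are constructed sample data, the grouping threshold and the attribute names (source_ip, event_name, username) are assumptions chosen for the example, and QRadar's real offense rules and Ariel indexes are considerably more elaborate than this.

```python
"""
Added illustration for the QRadar guide (not QRadar's own code):
  1. an "offense" modelled as a group of events sharing one attribute;
  2. an indexed search versus a full scan over the same event list.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int           # constructed sequence number standing in for a timestamp
    source_ip: str
    event_name: str
    username: str


# Constructed sample events; none of this comes from a real log source.
EVENTS = [
    Event(1, "10.0.0.5", "Login Failure", "alice"),
    Event(2, "10.0.0.5", "Login Failure", "alice"),
    Event(3, "10.0.0.5", "Login Failure", "alice"),
    Event(4, "10.0.0.9", "Login Success", "bob"),
    Event(5, "10.0.0.5", "Login Success", "alice"),
    Event(6, "192.0.2.7", "Firewall Deny", "-"),
    Event(7, "192.0.2.7", "Firewall Deny", "-"),
]


def group_offenses(events, key_attr="source_ip", min_events=2):
    """Group events on one shared attribute (assumed: source IP by default).

    Any group with at least `min_events` members is treated as an "offense".
    Note that an offense here is only a grouping; the Login Success for
    alice lands in the same group as her failures purely because the
    source IP matches, which is exactly why an offense is not proof of attack.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[getattr(ev, key_attr)].append(ev)
    return {k: v for k, v in groups.items() if len(v) >= min_events}


def build_index(events, attr):
    """Inverted index: attribute value -> positions of matching events."""
    index = defaultdict(list)
    for pos, ev in enumerate(events):
        index[getattr(ev, attr)].append(pos)
    return dict(index)


def search_scan(events, attr, value):
    """Unindexed search: every event must be examined.

    Returns (matching events, number of events examined).
    """
    matches = [ev for ev in events if getattr(ev, attr) == value]
    return matches, len(events)


def search_indexed(events, index, value):
    """Indexed search: only the events the index points at are examined.

    Returns (matching events, number of events examined).
    """
    positions = index.get(value, [])
    return [events[pos] for pos in positions], len(positions)


if __name__ == "__main__":
    for key, members in group_offenses(EVENTS).items():
        names = sorted({ev.event_name for ev in members})
        print(f"offense on source_ip={key}: {len(members)} events, types={names}")

    ip_index = build_index(EVENTS, "source_ip")
    scanned, cost_scan = search_scan(EVENTS, "source_ip", "10.0.0.5")
    indexed, cost_idx = search_indexed(EVENTS, ip_index, "10.0.0.5")
    print(f"scan examined {cost_scan} events, index examined {cost_idx};"
          f" same result: {scanned == indexed}")
```

Running the script groups the seven events into two offenses (four events from 10.0.0.5 and two from 192.0.2.7; the single event from 10.0.0.9 falls below the threshold) and shows that the indexed search returns the same four events as the full scan while examining only those four rather than all seven. On a production event store the gap between those two numbers is what makes an Indexed field the better choice for a Search.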
If using the QRadar Console is of interest and you wish to dive deeper, there are some great resources online. Try the YouTube channel of Jose Bravo: https://www.youtube.com/c/jbravovideos/videos